From 1069b4ab22eca5eea3d01992f1153a05fcf01c75 Mon Sep 17 00:00:00 2001 From: Vinnie Falco Date: Fri, 1 Dec 2017 12:11:41 -0800 Subject: [PATCH] Update reports for hybrid assessment --- CHANGELOG.md | 6 ++++++ doc/qbk/01_intro.qbk | 29 +++++++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c7a0c77..e7cf89f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +Version 144-hf1: + +* Update reports for hybrid assessment + +-------------------------------------------------------------------------------- + Version 144: * Fix websocket permessage-deflate negotiation diff --git a/doc/qbk/01_intro.qbk b/doc/qbk/01_intro.qbk index a3475705..d06643a4 100644 --- a/doc/qbk/01_intro.qbk +++ b/doc/qbk/01_intro.qbk 
@@ -101,7 +101,32 @@ for tirelessly answering questions on [section Reports] [block''''''] -[section WebSocket] +[section Security Review (Bishop Fox)] + +Since 2005, [@https://www.bishopfox.com/ Bishop Fox] has provided +security consulting services to the Fortune 1000, high-tech startups, +and financial institutions worldwide. +Beast engaged Bishop Fox to assess the security of the Boost C++ Beast HTTP/S +networking library. The following report details the findings identified during +the course of the engagement, which started on September 11, 2017. + +The assessment team conducted a hybrid application assessment of the Beast +library. Bishop Fox’s hybrid application assessment methodology leverages +the real-world attack techniques of application penetration testing in +combination with targeted source code review to thoroughly identify +application security vulnerabilities. These fullknowledge assessments +begin with automated scans of the deployed application and source code. +Next, analyses of the scan results are combined with manual review to +thoroughly identify potential application security vulnerabilities. In +addition, the team performs a review of the application architecture and +business logic to locate any design-level issues. Finally, the team performs +manual exploitation and review of these issues to validate the findings. + +[@https://vinniefalco.github.io/BeastAssets/Beast%20-%20Hybrid%20Application%20Assessment%202017%20-%20Assessment%20Report%20-%2020171114.pdf [*Beast - Hybrid Application Assessment 2017]] + +[endsect] + +[section WebSocket (Autobahn|Testsuite)] The [@https://github.com/crossbario/autobahn-testsuite Autobahn WebSockets Testsuite] 
@@ -114,7 +139,7 @@ verification and performance and limits testing. Autobahn|Testsuite is used across the industry and contains over 500 test cases. -[@https://vinniefalco.github.io/boost/beast/reports/autobahn/index.html [*Autobahn|Testsuite WebSocket Results]] +[@https://vinniefalco.github.io/BeastAssets/reports/autobahn/index.html [*Autobahn|Testsuite WebSocket Results]] [warning Version 0.7.6 of Autobahn|Testsuite contains a
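Review bot: the CHANGELOG entry for 144-hf1 lists only "Update reports for hybrid assessment", but this patch also moves the Autobahn|Testsuite results link from vinniefalco.github.io/boost/beast/reports/autobahn/ to vinniefalco.github.io/BeastAssets/reports/autobahn/ (third hunk). A second bullet such as "* Relocate Autobahn|Testsuite results to BeastAssets" would make the entry match the change.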
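Review bot: in the new Security Review section, "fullknowledge assessments" should read "full-knowledge assessments". Renaming `[section WebSocket]` to `[section WebSocket (Autobahn|Testsuite)]` also changes the Quickbook-generated section id, so any existing link to the WebSocket report anchor breaks; an explicit id, e.g. `[section:websocket WebSocket (Autobahn|Testsuite)]`, keeps the old anchor, and the new section would benefit from the same treatment (`[section:security_review Security Review (Bishop Fox)]`). Finally, the section explains Bishop Fox's methodology but says nothing about the outcome; one sentence on what the report found and whether the findings have been addressed in the library would tell a reader more than the bare link to the PDF.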
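Review bot: the Autobahn link now points at vinniefalco.github.io/BeastAssets/reports/autobahn/index.html, but nothing in the patch says what happens to the old vinniefalco.github.io/boost/beast/reports/autobahn/ page; if it stays up, readers following older links will see stale results, so it should be removed or made to redirect. The `[warning Version 0.7.6 of Autobahn|Testsuite ...]` block that follows is unchanged context and is fine as is.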